/
Lattice-Based Cryptography
Lattice-Based Cryptography

Lattice-Based Cryptography - PowerPoint Presentation

lindy-dunigan
lindy-dunigan . @lindy-dunigan
Follow
224 views | Public

Lattice-Based Cryptography - Description

Vadim Lyubashevsky Cryptography Allows for secure communication in the presence of malicious parties 2 Cryptography Allows for secure communication in the presence of malicious parties 3 Cryptography ID: 540239 Download Presentation

Tags :

encryption key sum subset key encryption subset sum lwe public based cryptography ring quantum lattices random mod pseudorandom solving

Share:

Link:

Embed:

Please download the presentation from below link :


Download Presentation - The PPT/PDF document "Lattice-Based Cryptography" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation on theme: "Lattice-Based Cryptography"— Presentation transcript

Slide1

Lattice-Based Cryptography

Vadim

LyubashevskySlide2

Cryptography

Allows for secure communication in the presence of malicious parties

2Slide3

Cryptography

Allows for secure communication in the presence of malicious parties

3Slide4

Cryptography

Allows for secure communication in the presence of malicious parties

4Slide5

Symmetric-Key Cryptography

Secret key = sSlide6

Symmetric-Key Cryptography

Secret Key = s

Secret Key = s

Will still exist if quantum computers are builtSlide7

Public-Key Cryptography

Secret Key = s

Public Key = pSlide8

Public-Key Cryptography

Secret Key = s

Public Key = p

Public Key = p

Public Key = pSlide9

Mathematical

Assumptions

for

Public-Key Cryptography

N

=pq

gx=y mod p

Factoring is hard

Computing discrete logs is hard

Mostly problems from number theory

All broken once a quantum computer is built

9Slide10

Consequence of Quantum ComputingCurrent public key schemes will be broken

Quantum computers will recover all of

today’s

secrets10

+

=Slide11

Consequence of Quantum ComputingNeed to eventually migrate all internet security to quantum-resistant

schemes

Do it only once!

11Slide12

Assumptions

for

Quantum-Resilient Public-Key Cryptography

N

=pq

gx=y mod p

Factoring is hard

Finding short vectors in lattices is hard

Computing discrete logs is hard

(

f,g

) in Z[x]/(x

n

+1)

12Slide13

Ultimate Goal

Construct practical, quantum-resilient cryptography

for every device

13Slide14

The Critical Schemes14

Digital Signatures

Key Exchange

(Public Key Encryption)Slide15

Practical Lattice-Based Constructions

Key Exchange:

NTRU public-key encryption (1998)

Ring-LWE public-key encryption (2010)Digital Signatures:Recent (2013) schemes (e.g. BLISS)

15Slide16

16Lattice Cryptography ≈ Knapsack Cryptography

(done correctly)Slide17

The subset sum (knapsack) ProblemSlide18

a

i

,

T in ZM

ai are chosen randomly

T is a sum of a random subset of the aia1 a2 a3 … an TFind a subset of ai's that sums to T (mod M)Subset Sum ProblemSlide19

a

i

,

T in Z49

ai are chosen randomly

T is a sum of a random subset of the ai15 31 24 3 14 1115 + 31 + 14 = 11 (mod 49)Subset Sum ProblemSlide20

How Hard is Subset Sum?

a

i

,

T in ZM

a1 a2 a3 … an TFind a subset of ai's that sums to T (mod M)Hardness Depends on:Size of n and MRelationship between n and MSlide21

Complexity of Solving Subset Sum

M

run-time

2

log²(n)

2

n

2

n log(n)

2

poly(n)

2

Ω(n)

poly(n)

“generalized birthday attacks”

[FlaPrz05,Lyu06,Sha08]

“lattice reduction attacks”

[LagOdl85,Fri86]

2

cnSlide22

Subset Sum is “Pseudorandom”Slide23

“Computationally Indistinguishable”DY

Y

1

Y2…Yk…

DX

X1X2…Xk…D?

Z1Z2…Zk…

=

?

=?Slide24

Subset Sum is “Pseudorandom”

[

Impagliazzo-Naor

1989]:

For random a1,...,a

n in ZM and random x1,...,xn in {0,1},distinguishing the distribution(a1,...,an, a1x1+...+anxn mod M) from the uniform distribution U(ZMn+1) is as hard as finding x1,...,xnSlide25

What About Public-Key Encryption?

Many early attempts

None of them had proofs of security

All seem to be brokenSlide26

Cryptosystem based on subset sum[L, Palacio,

Segev

2010]Slide27

Facts About Addition

4

2

9

1

32

8

Adding n numbers (written in base q) modulo

q

m

carries < n

If

q>n ,

then Adding with carries

Adding without carries

(i.e. in Z

M

) (i.e. in

Z

q

n

)

4 6 7 9

3 9 0 7

8 4 6 5

1 3 4 3

4

7

2

6

4 6 7 9

3 9 0 7

8 4 6 5

1 3 4 3

Want to add

4679

+

3907

+

8465

+

1343

mod 10

4Slide28

So...

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

1 1 0 18 1 1 9

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

1 1 0 1

+

2 1 1 0

0 2 2 9

=

=

NOT Pseudorandom!

Pseudorandom based on Subset Sum!Slide29

Column Subset Sum Addition

Is Also Pseudorandom

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3110111

10

09

80

+

=Slide30

“Hybrid” Subset Sum Addition Is Also Pseudorandom

4 6 7 9 0

3 9 0 7 9

8 4 6 5 8

1 6 4 3 0

1 0 0 1+

1 1 1 0 0

6 3 2 2 0

=

pseudorandom Slide31

Encryption Scheme

A

s

t

=

+At

r

+

u

v

=

Public Key

{0,1}

n

{0,1}

n

Z

q

n x n

0

m

+Slide32

Encryption Scheme

A

s

t

=

+At

r

Is pseudo-random based on the hardness

of

the subset sum problem

+

u

v

=

0

m

+Slide33

Encryption Scheme

A

s

t

=

+At

r

v

A

s

+

r

+

A

s

r

A

s

r

+

A

s

=

=

+

u

v

=

0

m

+

+

m

+

mSlide34

Encryption Scheme

A

s

t

=

+At

r

u

s

A

r

s

=

+

A

r

s

+

=

v

+

u

v

=

0

m

+

-

mSlide35

u

s

v

-

=

Encryption SchemeAs

t

=

+

A

t

r

+

u

v

=

0

m

+

+

m

represent 0 by m=0

represent 1 by m=(q-1)/2Slide36

Cryptosystem based on LWE[

Regev

2005]Slide37

Encryption Scheme

(what we needed)

A

s

t

=+At

r

Pseudorandom

“small”

+

u

v

=

0

m

+Slide38

Picking the “Carries” In Subset Sum: carries were deterministicWhat if … we pick the “carries” at random from some distribution?Slide39

So...

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

1 1 0 1

+

2 1 1 0

0 2 2 9

=

Pseudorandom

based

on

Subset Sum

4 6 7 9

3 9 0 7

8 4 6 5

1 6 4 3

2 3 0 1

+

1 3 2 1

7 2 0 3

=

Pseudorandom based on

LWE

[

Reg

05

]Slide40

(Decision) LWE Problem

. . .

a

1

a

2

s

+

e

=

b

World 1

. . .

a

2

a

1

a

m

b

uniformly random in Z

p

m

World 2

Theorem [

Regev

'05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE.

a

mSlide41

LWE vs. Subset SumThe Subset Sum assumption has “deterministic noise” (is this useful for anything?)

The LWE assumption is more “versatile”

. . .

a

1

a

2

a

m

s

+

e

=

b

LWE Problem

n

2

n

s

+

=

b

Subset Sum Problem

n

2

a

2

a

1

a

n

EASY !!

nSlide42

LWE / Subset Sum Encryption

A

s

t

=

+At

r

n-bit Encryption

HaveWant

Public Key SizeÕ(n)O(n)Secret Key SizeÕ(n)

O(n)Ciphertext Expansion

Õ(n)

O(1)

Encryption Time

Õ(n

3

)

O(n)

Decryption Time

Õ(n

2

)

O(n)

+

u

v

=

0

m

+Slide43

Cryptosystem based on Ring-LWE[L, Peikert, Regev 2010]Slide44

Source of Inefficiency of LWE

+

=

Getting

n

extra random-looking numbers (i.e. t) from a secret s

requires n2 random

numbers (i.e. A) and an error vector

Wishful thinking: get

n

random numbers and produce

n

pseudo-random

numbers in “one shot”

2

8

7

3

*

1

0

2

1

A

s

t

=

+Slide45

Use Polynomialsf(x) is a polynomial

x

n

+ an-1xn-1 + … + a1x + a0R = Zp[x]/(f(x)) is a polynomial ring with

Addition mod pPolynomial multiplication mod p and f(x)Each element of R consists of n elements in ZpIn R:

small+small = small small*small = small (depending on f(x) ) Slide46

Ring-LWE cryptosystem

a

s

t

r

au

r

t

v

v

u

s

+

+

+

=

=

=

-

r

t

+

r

a

+

s

r

a

s

+

+

r

a

+

s

r

+

s

=

-

-

-

=

Public Key

m

+

m

+

m

+

m

+

Secret Key

Encryption

Decryption

m

+Slide47

Security

a

s

t

r

au++=

=

Pseudorandom??

r

t

v

+

=

m

+Slide48

Decision Learning With Errors over Rings

a

1

a

2

a3…am

s

b

1

b

2

b

3

b

m

+

=

a

1

a

2

a

3

a

m

b

1

b

2

b

3

b

m

Theorem

[LPR ‘10]: In

cyclotomic

rings,

there is a quantum reduction from solving worst-case problems in ideal lattices to solving Decision-RLWE

World 1

World 2Slide49

Security

a

s

t

r

au++=

=

Pseudorandom based on Decision Ring-LWE!!

r

t

v

+

=

m

+Slide50

Ring-LWE Encryption

a

s

t

r

au

+

+=

=n-bit Encryption

From LWE From Ring-LWEPublic Key SizeÕ(n)

Õ(n)Secret Key Size

Õ(n)

Õ(n)

Ciphertext

Expansion

Õ(n)

Õ(1)

Encryption Time

Õ(n

3

)

Õ(n)

Decryption Time

Õ(n

2

)

Õ(n)

r

t

v

+

=

m

+Slide51

Where are the lattices?51Slide52

Subset Sum and Lattices

An integer lattice is an additive subgroup of

Z

na1 a2 a3 …

an T =

mod M for xi in {0,1}a = (a1, a2, … , an, -T)L(a) = {y in Zn+1 : a∙y = 0 mod M}Notice that x=(x1, x2, … ,xn,1) is in L(a)||x|| <

 Slide53

Connection to LatticesFinding short vectors in lattices implies:

Solving subset sum Solving LWE Solving Ring-LWE

Basically breaking all of “lattice crypto”Interesting part: There are proofs in the other direction53Slide54

Connection to LatticesSolving LWE

For all lattices

, determining whether a lattice has a short vector (GapSVP) via a classical reduction

For all lattices, finding n linearly-independent short vectors (SIVP) via a quantum reductionSolving Ring-LWE over the ring Zq[x]/(f(x)) 

For all ideals of Z[x]/(f(x)), finding a short vector (Ideal-SVP) via a quantum reduction54Slide55

Purpose of Proofs in PracticeProofs guide us to the “correct design”

Sometimes the “correct design” is surprising

Example:

We know decision problems are easy in the ring Z[x]/(xn-1) because x-1 is a factorTrying to get a security reduction led us to choose a polynomial f(x) irreducible over the integers

But working over the ring Zq[x]/(f(x)) where f(x) factors completely over Zq is OK – even sometimes necessary!

55Slide56

Getting a Usable SchemeSetting exact parameters is trickier

If

we follow the proof, may be too inefficient

If we deviate, we may be less secureNeed to have a feeling for what’s importantNo substitute for cryptanalysisProofs tell the cryptanalyst what to concentrate on

56Slide57

SummaryPractical designs for all the basic schemes

Public-key encryption

Digital signatures Identity-based encryptionPolynomial-time constructions for many other schemes Group signatures Fully-homomorphic encryption Attribute-based encryption

Many others 57

Authenticated key exchangeThe only public-key primitive really needed on the internetSlide58

Some Research Directions

Polynomial-time constructions for many other schemes

Group signatures Fully-homomorphic encryption Attribute-based encryption Many others

58

Come up with much better designsSlide59

Some Research Directions59

P

ractical designs for all the basic schemes

Public-key encryption Digital signatures Identity-based encryption

Authenticated key exchange

Cryptanalysis Efficient (quantum) algorithm for finding short vectors in ideal lattices? If yes, then the hardness foundation is in question What is the best (quantum) algorithm for Ring-LWE? Need this to set concrete parametersSlide60

Some Research Directions60

P

ractical designs for all the basic schemes

Public-key encryption Digital signatures Identity-based encryption

Authenticated key exchange

Standardization Algorithmic problems (e.g. efficient sampling) Want TLS and IKE to use lattices (and use them well) Many trade-offs between speed/size possible Resource-constrained devices Standards may need to be “application-driven” Slide61

THANK YOU

61